Ministryhack attack on Ukrainian resources continued — personal data of citizens published on a hacker forum
Last week, we wrote about the Ministryhack attack on websites and other resources of Ukrainian state institutions. Many Ukrainians immediately felt this cyberattack, because electronic documents stopped working, the convenience of which everyone is accustomed to. Despite the fact that many resources have been restored over the past week, on the night of January 21–22, a new blow was dealt to the Ukrainians. On the hacker resource RaidForums, an announcement was published about the sale, for $15 000, of roughly 20 gigabytes of archives containing the personal data of Ukrainian and foreign citizens.
In total, three archives have been published with data, respectively, of 2.6, 13.5, and 4.1 million citizens. The archives contain passport data, phone numbers, photographs, data on individual entrepreneurs, and so on.
According to preliminary data, the archives contain information from various public and private sources. Presumably, the data was obtained using Diya services, by compromising eHealth (Ministry of Healthcare, National Healthcare Service), resources of fiscal authorities, Kitsoft, some banks, and so on. Some data is as recent as the end of December 2021, although there is also some outdated data.
The authors of the announcement are also advertising the sale of data from such resources as health.mia.software (Infotech state enterprise), minregion.gov.ua (Ministry of Communities and Territories Development of Ukraine), wanted.mvs.gov.ua (search resource of the Ministry of Internal Affairs of Ukraine), e-driver.hsc.gov.ua (electronic driver’s office), and court.gov.ua (resource of Ukrainian judiciary).
We continue to report on the versions of the attack’s origin and share security recommendations you can rely on.
Microsoft revealed that on January 13, 2022, the company’s experts first discovered the malware, WhisperGate.
It is disguised as ransomware but is designed not to ransom target devices but to render them unusable by wiping or overwriting important files on infected systems.
It has also come to light that the aforementioned wiper software has worked at several institutions affected by the attack. Experts speculate that WhisperGate may have been part of the Ministryhack cyberattack.
The deputy secretary of Ukraine’s National Security and Defence Council, Serhiy Demedyuk, told Reuters that Ukraine suspects that the defaces were carried out by a hacking group known as UNC1151 and GhostWriter, an information operation agent linked to Belarusian intelligence.
However, the experts who are involved in this investigation report that until evidence is found, it is too early to draw conclusions. The investigation into this attack continues.
We recommended that the residents of Ukraine take the following actions:
- subscribe to services for credit status and credit history monitoring provided by banks;
- subscribe to monitoring services for state registries, such as Opendatabot;
- change passwords used for authentication on public resources;
- regenerate electronic digital signature certificates;
- regularly change the mentioned passwords and regenerate certificates, especially until the end of winter 2022.
In response to the malicious cyber incidents in Ukraine, including the defacement of government websites and the presence of destructive malware in Ukrainian systems, eminent cybersecurity agency CISA has published recommendations on cybersecurity measures to protect against potential critical threats. The CISA Insights Report urges executives and network defenders to be wary of malicious cyber activity and provides a checklist of specific actions that every organization, regardless of sector or size, can take immediately to:
- reduce the likelihood of a destructive cyber intrusion,
- detect a potential intrusion,
- ensure that the organization is prepared to respond in case of an intrusion, and
- maximize the organization’s resilience to disruptive cyber incidents.
We recommend that senior executives and information security professionals read the CISA Insights bulletin and implement the cybersecurity measures outlined in the checklist.
Seek our help if you lack the resources or expertise to implement these recommendations on your own.